Underground cybercrooks are selling digital certificates that allow code signing of malicious instructions, creating a lucrative and expanding cottage industry in the process, according to new research from threat intelligence firm InfoArmor.
In one case, a hacker tricked a legitimate certificate authority into issuing digital certificates for malware before marketing a cyber-espionage tool called GovRAT.
InfoArmor found posts promoting code-signing certificates in various underground marketplace. Hackers price these certificates at between $600-$900 depending on the issuing company. Code-signing certificates issued by Comodo, Thawte DigiCert and GoDaddy – firms well known for supplying digital credentials to legitimate software developers – are among those on offer. Security experts from Tripwire and CertiVox have the following comments on it.
[su_note note_color=”#ffffcc” text_color=”#00000″]Travis Smith, Senior Security Research Engineer at Tripwire :
“Code signing provides the assurance to users and the operating system that the software is from a legitimate source. Both obtaining and correctly applying the certificates to legitimate software is expensive and complex. Many protection mechanisms, rightfully so, check for the digital certificate. However, it’s possible that additional security measures stop investigating the software beyond this. Attackers can exploit this lapse in security by obtaining certificates and signing their malware. This decreases the ability for attacker automation, but will increase the value of potential loot. For organizations which have valuable data, attackers are going to sacrifice automation for stealthier attacks such as code signed malware.
Organizations should rely on a defense-in-depth security posture so if one defensive mechanism fails, another is in line to detect the attack. For attacks such as this, monitoring the list of both signed and unsigned software in the environment will give security administrators an early indication of compromise.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Brian Spector, CEO of CertiVox :
What is the issue?
“The commercial digital certificate industry is broken, and it needs to be replaced. This latest incident is just one of many whereby the commercial certificate authority’s position as a single point of trust is abused by either lax controls, such as we have here, or indeed by the commercial certificate authority itself, such as the latest Symantec incident or the Trustwave incident before that.
At what point did we collectively believe that these commercial certificate authorities could be the single sources of trust whereby browsers would trust websites or operating systems would trust rouge applications (as detailed in this latest incident). How did Symantec, Trustwave, Comodo and GoDaddy qualify and inherit this position? Simply because these organizations lobbied and paid for the privilege of having a public key embedded into the operating systems of major OS and browser manufacturers, extracting a tax out of website owners and application developers to cover the price of their admission. Nice business model, but it’s failing the Internet.”
What are the implications?
“Fake certificates will destroy the trust architecture on the Internet, and once trust is gone, you can’t get it back. As we have seen time and time again, any determined and well funded attacker can keep trying the myriad of commercial certificate authorities until one with lax controls issues a legitimate code signing certificate. This means that checks in your browser or operating system looking for untrusted applications and websites will fail because the certificate is good. It’s like a criminal posing as a police officer with a real police officer’s badge. How are you supposed to tell the difference? You can’t, and that’s the issue.”
How can this problem be fixed?
“This problem is an architectural problem at the end of the day. It’s insane that one single entity should be a monolithic trust hierarchy. There is no way that ‘patching’ this industry will work, despite the best intentions of Google and other’s to police it. The best thing to do is start over, with a model of distributed or shared trust.”[/su_note]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.